The AirTag feature that lets anyone with a smartphone scan a lost AirTag to see its owner's contact information can be misused for identity theft, according to a new report shared by KrebsOnSecurity.
When an AirTag is put into Lost Mode, it generates a https://found.apple.com URL and lets the owner enter a contact phone number or email address. Anyone who scans that AirTag is automatically directed to a page showing the owner’s contact information, without needing to log in or supply any personal information to view it.
According to KrebsOnSecurity, Lost Mode does not stop a user from injecting arbitrary code into the phone number field, so a person scanning the AirTag can be redirected to a fake iCloud login page or another malicious website. Someone who does not know that no personal information is required to view an AirTag’s data could be tricked into handing over their iCloud login or other personal information, or the redirect could attempt to download malware.
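The root cause described above is owner-supplied text reaching a public page without validation or output encoding. The following is an added example, not Apple's code, of how a server should handle such a contact field: a strict allowlist for the phone number plus HTML escaping at render time. All names (normalize_phone, render_found_page) and the sample inputs are hypothetical.

```python
import html
import re
from typing import Optional

# Constructed example of a "lost mode" contact field, not Apple's implementation.
# Allowlist: optional leading '+' followed by 7-15 digits. Common separators
# (spaces, dashes, dots, parentheses) are tolerated on input and stripped.
_PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")
_SEPARATORS = re.compile(r"[\s\-.()]")


class InvalidContactError(ValueError):
    """Raised when owner-supplied contact data fails validation."""


def normalize_phone(raw: str) -> str:
    """Validate an owner-entered phone number against a strict allowlist.

    Anything other than digits (plus an optional leading '+') is rejected,
    so markup, URLs or script text never reaches the rendering step.
    """
    candidate = _SEPARATORS.sub("", raw.strip())
    if not _PHONE_RE.fullmatch(candidate):
        raise InvalidContactError("phone must be 7-15 digits with optional leading +")
    return candidate


def render_found_page(phone: str, message: Optional[str] = None) -> str:
    """Render the public 'found' page as an HTML fragment.

    Every owner-controlled value is HTML-escaped at the point of output as
    defence in depth, even though the phone number was already validated.
    """
    safe_phone = html.escape(normalize_phone(phone), quote=True)
    parts = [f'<p>Contact the owner: <a href="tel:{safe_phone}">{safe_phone}</a></p>']
    if message:
        parts.append(f"<p>{html.escape(message, quote=True)}</p>")
    return "\n".join(parts)


def is_accepted(raw: str) -> bool:
    """True if the input would be accepted as a contact phone number."""
    try:
        normalize_phone(raw)
        return True
    except InvalidContactError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate number and a markup-bearing one.
    print(render_found_page("+1 (415) 555-0100", 'Please call, I\'m <nearby> & "local"'))
    print(is_accepted("<img src=x onerror=alert(1)>"))  # False: rejected before rendering
```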
The AirTag flaw was found by security adviser Bobby Rauch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. “I can’t think of another case where such small consumer-class tracking devices could be armed at such low prices,” he said.
Rauch contacted Apple on June 20, and it took Apple several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update and asked him not to discuss it publicly.
Apple did not answer his questions about whether he would receive credit or whether the finding qualified for the bug bounty program, so he decided to share details of the vulnerability, citing Apple’s lack of communication.
“I told them, ‘I’m willing to work with you if you can provide some details on when you plan to correct this and whether there will be an acknowledgment or payment of errors in the form of an error,’” Rauch said, noting that he told Apple he planned to release his findings within 90 days of notifying them. “Their response was basically, ‘We’d appreciate it if you didn’t post this.’”
Last week, security researcher Denis Tokarev published several iOS zero-day vulnerabilities after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company continues to draw criticism for its bug bounty program and the slowness with which it responds to reports.